Are you ready for India’s NEW Personal Data Protection Law?

Last updated: 02 January 2019

With the Indian Government recently releasing the Justice BN Srikrishna Committee of Experts Report on Data Protection, a new law in the form of the Personal Data Protection Bill, 2018, is set to become a reality in India soon.

The draft Personal Data Protection Bill (the Bill) as recommended in the Report is unique in its own way and far more expansive than the present data security laws in the country. For one, the Bill comprehensively covers the very definition of ‘personal data’ – a major point of contention in the present laws. Apart from the obvious identifiers of personal data like name, address and contact details, the draft Bill extends the definition of personal data to include passwords, financial data, health data, sex life, sexual orientation, biometric and genetic data, caste, tribe and religious or political beliefs / affiliations of an individual. By broadening the definition, the draft Bill attempts to get rid of the ambiguity surrounding what is personal data, and what is not.

Second, the draft Bill proposes setting up a Data Protection Authority (DPA) – a nodal body to oversee execution and enforce compliance by data fiduciaries (entities, both public and private, that process personal data). It also mandates that these data fiduciaries appoint a Data Protection Officer (DPO) to uphold data protection and privacy. The recommendation to establish a DPA is indeed a unique step, as perhaps for the first time, India would have an Ombudsman exclusively for the protection of personal data.

Third, on the lines of the GDPR, the draft Bill prescribes steep penalties for various violations. Data fiduciaries violating the personal data processing norms prescribed in the Bill will attract a penalty of Rs. 15 crore or 4% of their annual global turnover, whichever is higher. The draft Bill also prescribes a list of non-bailable and cognizable criminal offenses for obtaining, transferring, or selling personal data in violation of the provisions mentioned in the draft Bill.

Considering the rising incidents of data breaches in the country, a pervasive and stringent data protection law to safeguard sensitive personal data is indeed the need of the hour. As per Gemalto’s 2017 Breach Level Index study, more than 3.24 million data records were stolen, lost or exposed in India in 2017 alone. This year itself, there were two notable data breach incidents that deserve a mention:

1. In April this year, Facebook admitted that the personal data of over 5.5 lac Indian users was shared with Cambridge Analytica through a third-party app that extracted personal data of Facebook users (along with their Facebook Friends) who had downloaded the app.

2. In June this year, the Andhra Pradesh government ordered an audit of all government websites as news spread that the State-run generic medicine store chain, Anna Sanjivini, had erroneously published on its website the private details – including name, phone number and purchases – of over 27 lac people who bought medicines from it.

Both of the above incidents highlight the urgent need to have a concrete structure, guidelines and policies to safeguard personal data, something the proposed Personal Data Protection Bill, 2018 aims to achieve.

Is your organisation ready to comply with the upcoming Personal Data Protection law?

In today’s digital world, along with a great user experience, consumers expect security and privacy to go hand-in-hand. As our recent survey of more than 10,000 consumers worldwide shows, 70% of the consumers said that they would stop doing business with a company if it experienced a data breach. And an almost equal number of participants felt that most businesses don’t take the security of user data seriously.

The survey clearly shows that trust is fleeting if organisations don’t do their due diligence to protect their customer data from getting into the wrong hands. As the scale and sophistication of cyber-attacks and data breaches intensify, businesses can no longer afford to take the importance of data protection lightly. Since most organisations now remain reliant on an online ecosystem to conduct business, they must realize that their digital communications can be easily targeted and exposed to cyber-attacks and data breaches.

As the Telecom Regulatory Authority of India (TRAI) Chief, Mr. RS Sharma, pointed out in a recent interview to ET NOW, with a per capita data consumption of around 6GB a month, India is consuming more data than the U.S.A. and China put together. With such huge volumes of data being used, consumers need protection of their personal data with respect to its ownership, security, and privacy.

He further highlighted in his interview that encryption is one of the best ways to ensure that personal data is secured. In simple words, encryption uses an algorithm and a key, called an encryption key, to scramble the data into an unreadable form. The data can be unscrambled only if one has access to the encryption key.

Data security is not an option anymore. Hackers and other miscreant elements are evolving and trying to access enterprise data every minute. Your business needs to step up to fend off these attacks.

The proposed Data Protection Act, 2018, is expected to add a sense of structure to the data security ecosystem in the country. However, if you are ready to include security of user data as a business priority, you can start reaping the benefits of being a customer-focused organisation and earn the respect of more customers.